US10296741B2ActiveUtilityA1

Secure memory implementation for secure execution of virtual machines

88
Assignee: IBMPriority: Jul 27, 2017Filed: Jul 27, 2017Granted: May 21, 2019
Est. expiryJul 27, 2037(~11.1 yrs left)· nominal 20-yr term from priority
G06F 21/78G06F 13/404G06F 21/556G06F 21/6281G06F 21/53G06F 2009/45587G06F 13/364G06F 12/1441G06F 9/45558G06F 2221/034G06F 2212/1052
88
PatentIndex Score
4
Cited by
38
References
8
Claims

Abstract

An embodiment involves secure memory implementation for secure execution of virtual machines. Data is processed in a first mode and a second mode, and commands are sent to a chip interconnect bus using real addresses, wherein the chip interconnect bus includes a number of bits for the real addresses. A memory controller is operatively coupled to a memory component. A secure memory range is specified by using range registers. If the real address is detected to be in the secure memory range to match a memory component address, a real address bit is set. If the real address is in the memory address hole, a security access violation is detected. If the real address is not in the secure address range and the real address bit is set, the security access violation is detected.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A computer system comprising:
 a hardware processor to process data in a first mode and a second mode, and send commands to a chip interconnect bus using real addresses, wherein the chip interconnect bus transports a number of bits for the real addresses, wherein the chip interconnect bus is larger than a number of bits needed for a maximum memory range supported by the computer system, and wherein a first portion of the bits for real addresses which are not in the range of the supported maximum memory range is used to indicate whether to operate in the first mode or the second mode creating a memory address hole; 
 a memory controller operatively coupled to a memory component; 
 the hardware processor further is capable of performing a method comprising:
 specifying a secure memory range by using range registers; 
 responsive to determining that the real address is detected to be in the secure memory range to match a memory component address, setting a real address bit; 
 responsive to determining that the real address is in the memory address hole, detecting a security access violation; and 
 responsive to determining that the real address is not in the secure address range and the real address bit is set, detecting the security access violation. 
 
 
     
     
       2. The computer system of  claim 1 , wherein the chip interconnect bus operatively coupled to bus slaves which are configured to be part of a secure memory or a normal memory, in accordance with the each of the bus slaves trusted or non-trusted functionality specified by the real address bit stored in a register. 
     
     
       3. The computer system of  claim 2 , wherein the hardware processor further is capable of performing a method comprising:
 responsive to determining that the real address bit is set to a first value, restricting one of the bus slaves from accessing the secure memory and detecting the security access violation. 
 
     
     
       4. The computer system of  claim 3 , further comprising:
 a bus master operated, by the hardware processor, to write into the normal memory, wherein the bus master is a component of a base address register and modified to send commands to the chip interconnect bus, and wherein the bus slaves respond to the commands; 
 responsive to an untrusted block initiating the commands, the bus master operated, by the hardware processor, to set one of the bits for the real address to the first value; and 
 responsive to the untrusted block attempting to access secure components, reporting an error. 
 
     
     
       5. The computer system of  claim 1 , wherein the computer system includes a configuration register configured to select the bits of the real addresses, based on the computer system memory configuration. 
     
     
       6. The computer system of  claim 5 , wherein the computer system memory configuration is selected from a plurality memory configurations, and wherein one of the plurality of memory configurations does not include a secure memory. 
     
     
       7. The computer system of  claim 1 , wherein the first mode is a normal operation mode and the second mode is a secure operation mode. 
     
     
       8. The computer system of  claim 1 , wherein the memory component includes dual in-line memory modules (DIMMs), and wherein the memory component includes at least one of: a direct attached memory component and a memory buffer chip.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.